CreateDesktop SECURITY_ATTRIBUTES

I want to create a desktop, using CreateDesktop, that non-system
process can't access. The process that creates the desktop is running
as system. I don't know much about the security API functions, but I
imagine it only takes a few lines of code to create a security
descriptor based on the user my process is running as (so only that
user has access, SYSTEM in my case), then I can pass that to my
CreateDesktop call.

I tried NULL to CreateDesktop, but I'm still able to bring up task
manager and then launch a new explorer.exe in the new desktop... I
don't want non-admin users to be able to do this, the desktop should
be restricted to my process (and system processes I don't mind).

I've got this code I use for creating named-pipes, which gives full
access to everyone:

SECURITY_ATTRIBUTES sa;
memset(&sa,0,sizeof(sa));
sa.nLength = sizeof(sa);
sa.bInheritHandle = TRUE;
sa.lpSecurityDescriptor = &sd;
InitializeSecurityDescriptor(&sd,SECURITY_DESCRIPT OR_REVISION);
SetSecurityDescriptorDacl(&sd,TRUE,(PACL)0,FALSE);

I assume SetSecurityDescriptorDacl probably just needs to be replaced
with one or two other functions...?